Scope and incorporation
Plain-English: when you process EU/UK personal data through Bridger, this DPA covers it. The EU SCCs (2021) are baked in by reference — you don’t have to sign them separately.
This Data Processing Addendum (“DPA”) supplements the Bridger Terms of Service and applies whenever Levenhall LLC (“Bridger,” “Processor”) processes Personal Data on behalf of you (“Customer,” “Controller”) in connection with the Service. The European Commission Standard Contractual Clauses (Module Two: Controller to Processor, 2021/914) are incorporated herein by reference and apply to any transfer of Personal Data from the EEA, UK, or Switzerland to the United States.
Definitions
- Personal Data has the meaning given in the GDPR / UK GDPR.
- Data Subject means an identified or identifiable natural person.
- Sub-processor means a third-party processor engaged by Bridger to process Personal Data on Customer’s behalf.
- Applicable Data Protection Law includes GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and any analogous national or state law in jurisdictions where Customer or Customer’s Data Subjects reside.
Processing details
Subject matter
Provision of the Bridger federal-procurement intelligence and marketplace platform.
Duration
Term of the Customer’s subscription, plus the retention window described in Section 6 below.
Nature and purpose
Hosting, indexing, scoring, transmitting, and surfacing personal data submitted by Customer through the Service, for the purposes of authentication, personalised intelligence ranking, marketplace introductions, and email digest delivery.
Categories of Data Subjects
- Customer’s employees, contractors, and authorised users
- Counterparties contacted through marketplace engagements (provider firm contacts, lobbyist firm contacts)
Categories of Personal Data
- Identifiers: name, email, role, organisation
- Profile data: NAICS, capability statements, certifications
- Engagement data: messages, watchlists, pipeline entries, proposals
- Technical data: IP address, user agent, session metadata
Bridger's obligations
- Process Personal Data only on documented Controller instructions, which include the Terms of Service and this DPA.
- Ensure persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures (Annex II below) to protect Personal Data.
- Engage Sub-processors only with Customer’s general authorisation as described in Section 5; notify Customer of changes via /trust/sub-processors with at least 30 days’ notice.
- Assist Customer with Data Subject rights requests, DPIAs, and regulator inquiries.
- Notify Customer without undue delay (and within 72 hours where feasible) of any Personal Data Breach.
- On expiry of the subscription, delete or return Personal Data per Section 6.
Sub-processors
Customer authorises Bridger to engage Sub-processors. The current list of Sub-processors, including their location and purpose, is published at /trust/sub-processors. Bridger remains liable for the acts and omissions of its Sub-processors as if they were its own.
Customer may object to a new Sub-processor within 30 days of publication; if the objection cannot be resolved, Customer may terminate the affected portion of the Service for cause and receive a pro-rated refund.
Retention, return, and deletion
On termination of the subscription, Bridger will (i) make Personal Data available for export by Customer for 30 days, (ii) delete Personal Data from production systems within 30 days of subscription end, and (iii) purge Personal Data from backups within 90 days. Audit logs may be retained for the 365-day security-investigation window described in our Privacy Policy.
International data transfers
Where Bridger transfers Personal Data from the EEA, UK, or Switzerland to the United States or other third countries, it relies on the EU Standard Contractual Clauses (Module Two: Controller to Processor, 2021/914), the UK International Data Transfer Addendum, and the Swiss FADP-compliant adapted SCCs as applicable. The Clauses are incorporated herein by reference; Customer is the “data exporter” and Bridger is the “data importer.”
Audits
Customer may audit Bridger’s compliance with this DPA, at Customer’s expense, by review of Bridger’s most recent SOC 2 Type II report (when available) and a written response to a reasonable security questionnaire. On-site audits are not available.
Annex I — Description of processing
The categories of Data Subjects, Personal Data, and processing activities are as described in Section 3 above.
Annex II — Technical and organisational measures
- Encryption. TLS 1.3 in transit; AES-256 at rest.
- Access control. Role-based access; separate admin / contractor / provider / lobbyist roles; bcrypt-hashed passwords; MFA infrastructure shipped (currently disabled platform-wide pending operator decision).
- Network security. CSP with strict-dynamic + per-request nonces, Origin/Referer same-origin CSRF defence, Vercel WAF.
- Audit logging. 365-day retention on administrative mutations; queryable by super_admin only.
- Incident response. Documented at /trust/incidents; 72-hour Customer notification commitment for Personal Data Breaches.
- Background checks + training. All personnel with production access have completed background checks and annual security training.
Reach the operator at hgad@levenhall.com. Formal notice should be addressed to Levenhall LLC, Delaware, United States.